Microsoft whacks Google with 'responsibly' disclosed remote-code execution flaw in Chrome
"Chrome's relative lack of RCE mitigations means the path from memory corruption bug to exploit can be a short one," sniffs Microsoft
Software giant Microsoft has been quick to publicise a remote code execution (RCE) vulnerability it has found in the Google Chrome web browser, after Google twice this year embarrassed Microsoft over disclosures of unpatched security flaws.
Last year, Microsoft penned a blog post criticising Google for not disclosing security vulnerabilities responsibly, after Google disclosed a major Windows bug before Microsoft was ready to patch it.
Microsoft this week took the opportunity to demonstrate what it thinks is a responsible disclosure, and in a blog post has detailed a remote Chrome vulnerability that it discovered last month and disclosed to Google on 14 September.
"Our discovery of CVE-2017-5121 indicates that it is possible to find remotely exploitable vulnerabilities in modern browsers," Microsoft's Offensive Security Research (OSR) team said in its post. "Chrome's relative lack of RCE mitigations means the path from memory corruption bug to exploit can be a short one."
Google patched the problem within a week in its beta versions of Chrome, but Microsoft notes that, although now fixed, the stable and public channel "remained vulnerable for nearly a month".
This is a big deal, according to Microsoft, which notes that Google made the source code for the fix available on GitHub ahead of the stable channel fix, which means - in theory, at least - that attackers had a month to exploit the bug.
"This can be expected of an open-source project, but it is problematic when the vulnerabilities are made known to attackers ahead of the patches being made available," claimed Microsoft.
The company added that while parts of its own Edge browser are also open source, "we believe that it's important to ship fixes to customers before making them public knowledge".
Google paid Microsoft a $7,500 bug bounty for disclosing the Chrome vulnerability, along with another $8,337 for other uncovered bugs, which the company donated to charity.